ICO.


Information Commissioner's Office


ICO consultation on the draft updated data sharing 
code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the 
survey, or you have any general queries about the consultation, please 
email us at datasharingcode@ico.org.uk. 


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
capacity (e.g. a member of the public). All responses from organisations 
and individuals responding in a professional capacity will be published. We 
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Q1 Does the updated code adequately explain and advise on the new 
aspects of data protection legislation which are relevant to data 
sharing? 


[X] Yes 


[ ] No 


Q2 If not, please specify where improvements could be made. 


Q3 Does the draft code cover the right issues about data sharing? 


[X] Yes 


[ ] No 


Q4 If no, what other issues would you like to be covered in it? 


Q5 Does the draft code contain the right level of detail? 


[ ] Yes 


[X] No 


Q6 If no, in what areas should there be more detail within the draft 
code? 


There are several areas in the code which have a wealth of information, e.g. 
the section on ‘data sharing agreements’. However, other parts of the code 
do not have the same level of detail in relation to the subject area. 


An example where more detail would be helpful is in the ‘security’ 
chapter. This is a key aspect of data sharing and the term will mean 
different things to different organisations. This chapter could include for 
example, more detail on why organisational and technical measures are 
important in data sharing arrangements to emphasise how this links to 
compliance with data protection law and in particular the accountability 
principle. This section also touches on the importance of a culture of 
privacy, but it would be helpful for it to also reference data protection 
by design (although reference is made in the ‘accountability’ section). 
This chapter may also benefit from further details on how to evaluate 
security measures in relation to data sharing. 


The ‘security’ chapter includes the heading ‘are we still responsible after 
we've shared the data?’ - however the resulting section does not 
provide a clear answer to the question and where the lines may lie for 
when a provider of data is responsible for compliance in relation to 
processing by the recipient. It indicates that the provider organisation 
has some responsibility for ensuring the continued protection of the 
data but doesn’t explain where responsibility lies as between the parties 
should something go wrong with processing by the recipient, e.g. a 
personal data breach. This is an area where some practical examples of 
responsibilities of providers and recipients of data in relation to 
particular data sharing arrangements would be helpful. This is likely to 
be a key concern for many organisations when entering into data 
sharing agreements. 


Further examples are mentioned below in response to other answers 
e.g. Q8 and Q10. 


Q7 Has the draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation’s data sharing practices? 


[ ] Yes 


[X] No 


Q8 If no, please specify what areas are not being addressed, or not 
being addressed in enough detail 


The code would benefit from more detail on auditing and monitoring and 
its importance in relation to the accountability principle. 


The ‘accountability’ chapter suggests reviewing accountability measures 
regularly, however it would be helpful if it also mentioned that 
‘reviewing’ is itself an accountability measure. 


The ‘accountability’ section should be more explicit regarding monitoring 
data sharing agreements, for example to ensure they are up to date and 
accurate. Monitoring would also include reviewing the legal basis and other 
legal considerations, as well as monitoring the effectiveness of data 
sharing processes and arrangements. 


This section should also include the importance of staff awareness and 
training on particular data sharing arrangements, particularly where 
there is little or no dedicated data protection/privacy resource. Staff 
should feel confident in their understanding of when they can and 
cannot share data under particular arrangements. 


Q9 Does the draft code provide enough clarity on good practice in data 
sharing? 
[ ] Yes 


[X] No 


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 


There are some good examples of best practice and the ‘data sharing 
agreements’ section in particular contains a good level of detail and 
practical support. There are also good examples of organisational and 
technical measures set out in the ‘security’ chapter (however see above 
our comments regarding linking these with specific compliance 
obligations). 


This approach could be extended more throughout the code to bring 
more practical elements to complying with the law. There are references 
to large organisations, or organisations with complex processing, seeking 
legal advice on restrictions and legal powers for data sharing. However, 
it would be helpful to set out how smaller organisations can identify 
these powers and restrictions, e.g. through the work they may have 
done already on their Article 30 records, through industry specific 
guidance etc., and link to other ICO guidance on this. This would help a 
wider range of organisations implement good practice data sharing 
processes with a focus on the practical ‘how to’ elements and be more 
aligned with the statement made at p10 of the code that ‘the majority 
of the code applies to all data sharing, regardless of its scale and 
context’. 


There appears to be some repetition in sections of the code, e.g. the last 
bullet on p4 relates to lawful basis, as does the 4th bullet on p5. 


The code is quite lengthy, partly due to some repetition and the 
substantial introduction. The length of the code and the introduction 
may reduce engagement and subsequently limit its effectiveness. There 
are for example several references throughout the code on sharing in 
emergency situations and use of DPIAs which could perhaps be 
consolidated and be more concise. It may therefore be helpful to review 
the length. 


The code may also benefit from some sector specific sections which 
would allow some organisations to identify specific sections most 
relevant to them. 
Q11 Does the draft code strike the right balance between recognising 
the benefits of sharing data and the need to protect it? 


[ ] Yes 


[X] No 


Q12 If no, in what way does the draft code fail to strike this balance? 


It is clear that the code attempts to strike a balance, however there are 
statements in the code, particularly in relation to emergencies, which 
could result in decisions being made without due consideration of the 
entire data sharing framework e.g. confidentiality, human rights, other 
legal requirements. 


P14 and 15 of the code provide some examples of the benefits of 
certain arrangements, which are all health care examples. However, the 
examples don’t set out the full context, including the lawful basis and 
the safeguards which would be required to ensure the arrangements 
were appropriate and that privacy rights are respected. The examples 
could therefore be misleading without providing more information about 
the safeguards etc. 


We recommend that the list of ‘misconceptions’ on p12 - 13 regarding 
data sharing and the responses to each of these is carefully reviewed as 
the examples may be better addressed more fully in specific sections of 
the code or by way of separate guidance. Some of the responses also 
do not appear quite right e.g. “This code helps you to balance the risks 
and benefits and implement data sharing if it is: 


e in the public interest; or 
e proportionate, in the case of sharing for commercial reasons.” 


However, many public sector data sharing arrangements will take place 
because there are legal powers and duties which permit or require data 
sharing and the question of proportionality is not limited to data sharing 
for commercial reasons. 


The use of the words ‘urgent’ and ‘emergency’ should be defined to 
prevent broad interpretation, particularly in relation to special 
category data and public sector organisations. P80 - 81 describes 
disaster type scenarios, but it should also cover e.g. data sharing to 
protect an individual’s vital interests and safeguarding issues, which are 
scenarios organisations are likely to recognise and deal with. 
Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


[X] Yes 


[ ] No 


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 


We would welcome the ‘at a glance’ section being explicit that a data 
sharing agreement is not in itself a legal basis to share data. 


‘information risk analysis’ (p48)- clarification required on whether this 
means a DPIA or a broader information risk assessment. 


It isn’t clear what the purpose of the ‘data ethics and data trusts’ 
section is. This section is quite vague and it is not clear to what extent it 
is applicable to GDPR compliant data sharing, as it uses phrases such as 
‘bear in mind’. As this is an emerging area it may be more appropriate 
to address this with reference to separate guidance, which can be 
updated and expanded as this area develops, rather than by including it 
in the code. The code focuses on compliance and introducing ethics into 
this statutory document may cause confusion. 


It may be helpful to set out in relation to the section on DPIAs (p21) 
what the benefits of carrying out a DPIA are, other than where required 
by law, and expanding how the output from the DPIA eg risks and 
mitigations should be addressed in the data sharing arrangements. 


P22 makes reference to ‘anonymising’ and ‘anonymous’ data but does 
not provide details on how this is defined. 


P57 - 58 consider including references to a ‘power to receive data’ as 
well as power to share data. 


Q15 To what extent do you agree that the draft code is clear and easy 
to understand? 


Strongly agree 
Agree 
Neither agree nor disagree 
Disagree 
Strongly disagree 


Q16 Are you answering as: 


[ ] An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public) 


[ ] An individual acting in a professional capacity 
[X] On behalf of an organisation 
[ ] Other 


Please specify the name of your organisation: 


NHS Digital (Health and Social Care Information Centre) 


Thank you for taking the time to share your views and experience. 


